Cover Page of the NSCITF Report. Photo Credit: GSSR
By: Jack Lucas, former Deputy Editor
At an ODNI building in early November, dozens of professionals from around the intelligence community (IC) gathered around a large conference room, taking all the chairs around the long table and filling nearly every extra seat in the room. They were brought together to address an issue especially critical to intelligence work: insider threat. The group of professionals represented the ODNI’s National Insider Threat Task Force (NITTF), formed in 2011 to better understand, detect, and prevent the increasingly intractable problem of insider threat. They were brought to this particular meeting, however, by Georgetown University’s National Security Critical Issue Task Force (NSCITF), a course in the Security Studies Program (SSP) designed not only to simulate a national security task force in a classroom environment but to produce valuable analysis on a real-world problem. Georgetown’s Task Force, taught by Professor Carol Rollie Flynn and Professor Jeffrey Connor, completed a thorough analytical report entitled “Millennial Considerations on Insider Threat: Are We a Threat or an Opportunity?”
The meeting was led by six SSP students who completed the NSCITF course in the spring of 2018 as well as Professor Flynn, herself a 30-year veteran of the CIA. They opened the two-hour briefing by highlighting that the students chose this topic because they felt it was crucial for millennials–anyone born between the years of 1980 and 2000–considering work in the national security space. Professor Flynn explained that the goal of NSCITF was to “take a hard problem and run it like a task force,” providing SSP students with the opportunity to experience a fast-paced simulation while addressing real-world problems. ODNI’s NITTF, which consisted of senior-level officials from around the IC, were immediately interested in a millennial perspective on the millennial dimension of the already complex insider threat issue.
NSCITF defines insider threat as “the potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.”[i] While insider threat is a concern for all organizations due to the inherent difficulty in detection and the high potential for damage, the IC has significant cause for alarm, with past malicious insider threats like Aldrich Ames leading to compromised sources, methods, and even loss of life. Each of the NSCITF representatives presented a portion of the brief, highlighting their key findings and recommendations for mitigating the threat.
Throughout the duration of the course, the students engaged in interviews, collected relevant research, and circulated surveys designed to examine the vulnerabilities to which millennials may be uniquely susceptible. This informed key findings that the students collated in their final report and presented to the NITTF. The NITTF dug to the heart of the matter by asking, “What makes millennials different from previous generations?” NSCITF found, through surveys, investigation, and their own experience, that millennials are more likely to desire horizontal and transparent organizational structures (where they can, for example, easily speak to their supervisors and managers via an open-door policy) and are more motivated by mission impact. Additionally, due to higher education becoming a near necessity in most entry-level jobs, many millennials will enter work with significant student debt. Consequently, they tend to be more risk-averse in their careers to maintain their steady income. But millennials are not all that dissimilar to other generations. Surprisingly to some, the NSCITF observed that millennial values in the workplace are mostly congruent with previous generations. Surveys show that retirement plans, pensions, and health benefits rank almost exactly as important to millennials as they do to baby boomers. But pension programs have nearly vanished, and health benefits simply don’t go as far anymore. This creates a dilemma where even successful millennials are unable to acquire the things they value from their workplace and are thus more likely to become disengaged and dissatisfied, raising the probability of them becoming an insider threat. Despite all this, millennials have so far been responsible for fewer malicious insider threat incidents than previous generations.
As the meeting approached its end, the NSCITF students presented five recommendations for how organizations wary of insider threat could better adapt to millennials:
- Provide programs that reward employee longevity and provide pathways for professional development
- Flatten management structures and create a more interactive work environment
- Develop and implement a comprehensive insider threat framework for the organization
- Prioritize community-building events that increase face-to-face interaction
- Combat negative personality traits promoted online and foster positive generational attributes through education and public outreach
The two hours spent with NITTF evolved from a typical brief into a dialogue between the two task forces present, with the occasional whispered side conversation in reaction to points presented by the students that seemed to inspire further interest from the professionals in the room. It was clear from the fact that so many NITTF members set aside over two hours of their day for this event that the NSCITF succeeded in identifying an especially salient problem. In closing, the NITTF agreed with the students that insider threat can never be completely prevented, even with the most advanced technical tools, because it is a fundamentally human problem. The only way forward is for creative professionals to find ways to understand, prevent, detect, and respond to insider threat as it morphs and evolves.
Find Georgetown’s NSCITF recommendation paper published on GSSR here.
[i] Daniel Costa, “CERT Definition of ‘Insider Threat’ – Updated,” accessed November 15, 2018, https%3A%2F%2Finsights.sei.cmu.edu%2Finsider-threat%2F2017%2F03%2Fcert-definition-of-insider-threat—updated.html.